29. Managing operational risks Flashcards

1
Q

What are the characteristics of desirable operational risk controls

A
  • Focussed on results
  • In place for measurable and non-measurable events
  • Standardised for efficient communication
  • High quality, to improve management
  • Few rather than many
  • Meaningful and appropriate
  • Timely, to give sufficient warning
  • Simple, so easily understood
2
Q

What risks are associated with outsourcing

A

o Failure to deliver commitments
o Reduced control over processes and people

3
Q

What considerations must you take before entering an outsourcing agreement

A

o Regulatory environment and status of 3rd party
o Financial standing of 3rd party
o Competency, business continuity plans and risk processes
o Legal agreement with 3rd party incl. right to terminate, and 3rd party’s right to sub-contract
o How 3rd party will be monitored

4
Q

List examples of external events

A

o Loss of IT / telephone capacity
o Loss of people and skills
o Bad PR / negative publicity
o Disrupted supply chains
o Fire/flooding/high winds
o Protest from pressure groups (e.g. animal rights activists)
o Terrorist damage

5
Q

Explain how business continuity and crisis management can be used to manage risk

A
  • BC defn: safeguarding business’s reputation, brand and other value-creating activities
  • Develop BCP and test it regularly
    o Reassures stakeholders that business interruption risks managed
  • E.g.
    o Offsite back-ups of data in case hard drive fails
    o Renting redundant office block and computer system ready for activation
  • CMP
    o Ensures clear and organised responses in event of significant incident
    o CM Group takes control of issue and co-ordinates action
  • Could take advantage of unexpected gains or reduce losses in event of critical incident
  • Consequential loss insurance for compensation for loss of profits due to business disruption
6
Q

How would you manage reputational risks

A

o Stay aware of regulatory and legal changes and likely impact
o Influence changes through lobbying

7
Q

How would you manage technology risk?

A
  • Keep systems up-to-date – balance functionality with costs
  • Routine maintenance – esp for IT solutions developed in-house
  • Thorough testing for robustness and compatibility when introducing new IT systems
  • Quick response to IT helpdesks to deal with minor IT issues
  • Train staff – e.g. phishing
  • Restrict employees’ social media usage or devices that might circumvent IT security, e.g. USB drives
  • Implement and test security software and routines
    o e.g. firewalls, backups and regular password changes
    o To prevent cyber attacks and ensure data rapidly recovered in event of loss
8
Q

In what ways do people introduce risk to an organisation?

A
  • Employment
  • Adverse selection
  • Moral hazard
  • Agency risk
  • Bias
9
Q

Suggest ways to manage risks associated with employment

A
  • Recruitment processes
    o Cost effective recruitment of right people
    o Enforceable employment contracts
  • Competency management processes
    o Training requirements – incl. induction, CPD and professional qualifications
    o Risk training enhances understanding of risk management
  • Appraisals and performance management processes
    o Talent management – promotion and transfer
    o Retaining right employees
    o Identify poor performers, support and disciplinary action
    o NED must regularly appraise skills, knowledge and expertise and undertake professional development where necessary
  • Relationship management
    o Employment-related collective bodies, e.g., unions
10
Q

Suggest ways to manage risks associated with adverse selection

A
  • Underwriting
  • Product design
  • Pricing
11
Q

Suggest ways to manage risks associated with moral hazard

A
  • Make consequences unattractive – e.g. make it an offence to make fraudulent claim
  • Prevention – e.g. ensure insurable interest
12
Q

Suggest ways to manage agency risk

A
  • Use incentivising performance and remuneration structure
13
Q

Suggest ways to manage risks associated with bias

A
  • Checks and balances built into system
  • Assessments must be checked by an independent and competent checker
  • Consider introducing an “optimism bias” into appraisal of capital projects
  • Education on unintentional bias
14
Q

Suggest ways to manage process risk / change management

A
  • Pilot studies
  • Precise definition of requirements of new solution to best meet needs of whole org
  • Design systems that can be easily maintained, enhanced and upgraded
  • Carefully deploy new systems by educating users
  • Must stress test new system in isolation and within larger org
  • Must review new processes regularly for effectiveness
15
Q

Suggest ways to manage model risk

A
  • Ensure robust process around choice of model
  • Document processes for model and assumptions
  • Clear audit trails and change-management routines
  • Test model thoroughly before use
  • Maintain and develop model over time, with regular reviews
  • Ensure staff adequately trained and clear accountabilities
  • Understand key drivers / assumptions in model …
    … and subject model to tests of parameter uncertainty
  • Use models only for intended purpose
  • Appreciate limitations of model
  • Avoid overly complex models (principle of parsimony)
  • Ensure workings and results are easy to communicate and appreciate …
    … and capable of independent verification for reasonableness
16
Q

Suggest ways to manage data risk

A
  • Limit what can be entered to what is valid, eg range checks
  • Check data entry (spot checks, consistency checks, reasonableness)
  • Recheck data on transfer and remove duplicates
  • Ensure data is credible …
    … and relevant for its purpose esp if using external data
  • Carry out regular backups of data
  • Ensure data stored securely
  • Ensure staff adequately trained, eg in data protection, handling big data
17
Q

Suggest ways to manage reputational risk

A
  • Sound ERM framework
  • BCP and CMP
  • Strong relationships with key stakeholders
18
Q

How would you manage market liquidity risk

A
  • Varying investment strategy
  • Use swaps
  • Contingency fund with high-quality, liquid assets
19
Q

How would you manage funding liquidity risk

A
  • Diversify sources of funding by type and term
  • Continuous monitoring of ability to raise extra capital
  • Contingency sources of funding to draw upon in stressful times e.g. line of credit
20
Q

How is feedback risk managed?

A
  • Invest only in exchange-traded instruments, to pool/diversify counterparty risk
  • Suspending trading on stock exchange by circuit breakers if there is a large market movement
  • Govt / central banks intervening to prop up a bank by acting as lender of last resort, or reduce financial consequences (eg reduce interest rates)
  • Regulations requiring establishment of additional reserves (eg Basel III requires companies to build up additional reserves in “good times”)
  • Avoid regulations increasing pro-cyclicality, eg solvency regulations encouraging all similar organisations to adopt similar investment and risk mitigation strategies
  • Physically separating types of businesses
21
Q

What is the seven step enterprise wide process for transferring operational risks

A
  • Identify operational risk exposures
  • Quantify probabilities, severities and capital requirements
  • Integrate operational risk with credit and market risk to get enterprise-wide risk profile
  • Establish operational risk limits
  • Implement internal controls
  • Develop risk transfer and financing strategies
  • Evaluate alt providers and structures based on cost/ benefit analysis
    o Compare ceded risk-adjusted return on capital to cost of equity to see if it enhances shareholder value